

RELATING VEHICLE-LEVEL AND NETWORK-LEVEL RELIABILITY THROUGH HIGH-LEVEL FAULT INJECTION
F. Corno*, P. Gabrielli+, S. Tosato*
* Politecnico di Torino - Dipartimento di Automatica e Informatica - Torino, Italy
+ FIAT Auto - Product & Process Engineering - Integrated Chassis Control - Torino, Italy

Abstract
This paper presents recent results on evaluating the reliability contribution of network connections in automotive environments. The evaluation is based on performance thresholds that detect the performance loss caused by particular kinds of faults. We modeled the vehicle network at the functional level and integrated it into a complete vehicle model describing both electronic and mechanical behavior; this makes it possible to build an automated fault injection environment that forecasts the effects of network-level faults on the vehicle dynamics. Furthermore, an on-line threshold manager interrupts a single simulation as soon as a fault activates an error threshold, reducing the overall simulation time of a campaign.

1. Introduction
The recent evolution of vehicle control systems is characterized by an increasing number of intelligent control units within a car. These units control several safety-critical functions such as braking and steering; therefore they must be designed and implemented so as to guarantee a sufficient level of reliability. The network that carries their communications is a critical module from this point of view, since it can seriously affect the reliability of the whole system, and its malfunctioning causes vehicle performance loss. A previous paper [1] presents the design of a fault injection environment aimed at evaluating the effects of network faults in terms of vehicle dynamics. Evaluating the vehicle performance loss in the presence of faults requires understanding the maximum fault duration that the control strategy units can tolerate. This can be done by defining thresholds on particular vehicle dynamics waveforms. The quantitative determination of the error thresholds can be performed by fault injection with the methodology illustrated in this paper. During fault injection, the thresholds allow simulations to be stopped and activation reports to be generated for the designers. By evaluating the threshold activations, we can derive safety specifications for each signal in terms of maximum latency or maximum transmission delay.

The main goal of this paper is to extend the previous results with an on-line threshold manager able to evaluate vehicle performance and to analyze, with a top-down approach, which combinations of fault start time and duration cause particularly critical vehicle behaviors. To analyze the impact of network faults we resorted to a fault injection strategy, building a fault injection environment that exploits: a vehicle model complete with mechanical parts and electronic control strategies; a functional network model able to inject faults and evaluate their consequences; a set of critical maneuvers; and a set of performance thresholds defined over the nominal vehicle behavior. The results are obtained in terms of:
• fault effect statistics relating the parameters of each fault with the vehicle-level performance loss;
• lower-level thresholds that trace the performance results back to the lower-level specification, in terms of maximum latency or delay time.
The methodological schema of this research is presented in figure 1.

Figure 1: Methodological schema (vehicle maneuvers and the fault list feed the fault injection; the thresholds produce violations and fault statistics)

In Section 2 we present some related works. In Section 3 we give a short introduction to the vehicle model used for this activity. In Section 4 we present the fault injection system architecture, with particular reference to network modeling and threshold management. In Section 5 we present some experimental results on the Vehicle Dynamic Controller (VDC) [2], a system that aids the driver with its automatic intervention when the vehicle loses stability. In Section 6 we outline the work in progress and draw some conclusions.

2. Related works
Several fault injection tools and environments have been proposed in the past. One early physical fault injection tool is FIAT, which inserts faults in a LAN cluster using other nodes as the tester system [3]. More recently, the FERRARI system [4] consists of a manager module that coordinates various operational modules for initialization, pre-runtime fault injection, data collection and analysis, and user interaction. HARTS [5] supports the generation of faults in a distributed real-time system, while FITS [6] injects faults in a time-triggered system, working at the operating system layer of the control unit. MEFISTO [7] is a simulation-based technique that injects faults into VHDL models. Other research activities have targeted fault injection in automotive time-triggered systems for X-by-Wire applications [8]. A recent paper [9] also analyzes the dependability of the CAN protocol and of a hardware implementation of a CAN controller using emulation-based fault injection campaigns. The architecture presented in this paper evaluates the system behavior and performs fault injection at the vehicle level: our level of abstraction is higher than in the cited papers, so that vehicle performance in the presence of faults can be evaluated, and the injected faults are modeled functionally.
Figure 2: Conceptual vehicle model (Driver input block; Engine and Vehicle & Brake mechanical blocks; VDC, ABS and Steer electronic blocks)

3. Vehicle simulation environment
The adopted model mainly addresses system-level issues and was originally used to study vehicle dynamics under Vehicle Dynamic Controller (VDC) control. The high-level schema of the vehicle model is composed of three kinds of blocks exchanging signals, as shown in figure 2:
• an Input block that contains typical vehicle maneuvers;
• Mechanical blocks that contain the vehicle physical equations;
• Electronic blocks that contain the control logic.
In particular, the Driver block can simulate different kinds of maneuvers, and the Vehicle & Brake block implements the mechanical chassis equations. Two further blocks model the electronic components, implementing the VDC and ABS (Anti-lock Braking System) strategies. The correctness of this model has been experimentally validated against actual vehicle behavior [2].

3.1. Input maneuvers
A maneuver is the set of inputs that a driver can apply to the vehicle; it is basically composed of the steer angle, brake pedal and gas pedal waveforms. The standard parameters of the maneuvers are specified by the International Organization for Standardization (ISO) [10]. For this activity we focused on the step-steer maneuver (ISO 7401:2003), which consists of a rapid steering operation (0° to 100° in 0.25 s, starting at 2.0 s) with the vehicle at full speed (100 km/h). Figure 3 shows the typical trend of the steer angle during the ISO 7401:2003 maneuver.

Figure 3: Steer angle trend

3.2. Vehicle dynamics
The Vehicle & Brake block contains the mechanical equations of the vehicle. This chassis model has six degrees of freedom: three equations for translation (longitudinal, lateral, vertical) and three for rotation (roll, pitch, yaw); the equations are derived with the Lagrange method. In the step-steer maneuver two physical quantities are important: the yaw rate and the sideslip angle. The yaw rate is the rate of change of the yaw angle, i.e. the rotation angle about the vertical axis of the vehicle. The sideslip angle is the angle between the direction of the velocity vector and the longitudinal axis of the vehicle. Figures 4 and 5 show the typical behavior of yaw rate and sideslip angle during an ISO 7401:2003 maneuver.

Figure 4: Yaw rate trend

Figure 5: Sideslip angle trend

3.3. VDC strategy
This block describes a VDC strategy developed at Politecnico di Torino [2]. It uses several input signals (steer angle, yaw rate, etc.) and generates the four braking forces to be applied at the four wheels. The strategy follows an ideal yaw rate target that guarantees vehicle stability. The analysis described in this paper focuses on the VDC behavior and performance when its input signals are corrupted by network faults.

3.4. Network models
Automotive mechanical models have typically been designed with a point-to-point communication model: when control logic blocks, actuation blocks, vehicle blocks etc. are integrated in a single model, mechanical designers usually neglect the presence of the network (as in figure 2) and avoid modeling a shared communication medium. Furthermore, Matlab does not natively support automotive network modeling, since its communication links are mere variable exchanges (as shown in figure 6). It is therefore necessary to model the network impact in a way that allows easy integration into existing automotive models. The network model designed in this paper represents the network impact functionally; its characteristics are:
• Vehicle oriented: it evaluates performance loss in terms of vehicle dynamics; the model describes the communication structure at the vehicle layer, paying more attention to the functional aspects of the CAN network.
• Point to point: the model inserts the characteristics of the network influence on each individual Matlab/Simulink signal. We used Matlab/Simulink because it is the most widely used modeling software and has become a de facto standard in the automotive industry.
• Configurable: the model allows the network protocol (e.g., CAN [11] [12], TTP [13]) and speed to be configured by setting the properties of the block.
• Faultable: the model supports the injection of faults of different kinds, such as signal interruption and noise.
For the purpose of our analysis, the network subsystem performs the following operations:
• it samples signals in time;
• it converts signals to digital form;
• it introduces faults.

3.5. Network model integration
The network model has been developed to ease its integration at any point of the vehicle model. The module can be inserted in a Simulink connection like any ordinary Simulink block, as shown in figure 6. The blocks shown in figure 6 are located inside the VDC block of figure 2.
Figure 6: Integration of the network model - yaw-rate corruption application (blocks: ON/OFF, VDC reference, NET, VDC actuation, sideslip estimation, traction estimation)

4. Fault Injection strategy
The main goal of this activity is to evaluate network faults from the point of view of vehicle performance: every fault may cause a performance loss in terms of the vehicle dynamics waveforms. The activity relates the performance loss to lower-level safety specifications: starting from the check on the vehicle dynamics, we find which kinds of faults are dangerous for vehicle stability. By evaluating specific performance indicators, and comparing the obtained results with the nominal case, we can quantify the loss in terms of dynamic performance degradation. Figure 7 outlines these indicators.
Figure 7: Performance indexes

The indexes are:
1. the maximum value of the vehicle yaw rate;
2. the maximum value of the vehicle sideslip angle;
3. the minimum value of the vehicle sideslip angle;
4. the maximum value of the vehicle lateral acceleration.
An increase of the maximum values (1, 2, 4) or a decrease of the minimum one (3) means a reduction of the vehicle stability during the maneuver.

The adopted fault model generates faults that model the most frequent causes of errors in a typical CAN network:
• Noise: when noise corrupts a frame, the CRC check fails, the receiver discards the frame, and the ECU keeps using the previous correct value.
• Collisions: when a collision occurs, the ECU with lower priority must wait to retransmit its frame; the ECU signal is therefore delayed, which introduces a certain amount of delay jitter.
• Disconnection: when an ECU is disconnected from the bus, the signals it computes cannot be received by the other ECUs, and all receivers keep using the previous values as input. This case is called burst loss.

4.1. Fault injection system
To estimate the performance loss, the network model and the vehicle model have been linked into a complete automotive model that supports programmable fault injection [1]. During a fault injection campaign we can vary the start time of a fault, its duration and the affected signal; the simulation results can then be analyzed to evaluate the vehicle performance. The characteristics of the fault injection system, whose architecture is shown in figure 8, are:
• Implemented in Matlab/Simulink. The fault injection tool is implemented with several Matlab functions that generate fault patterns and call the Simulink simulation; Matlab provides commands to drive the Simulink solver.
• Definition of the input maneuver. The system allows the various standard maneuvers to be simulated by setting parameters of the Driver block.
• Parametric generation of the fault list. The fault injector engine gets new fault parameters at every simulation; after loading the parameters, it starts the simulation and saves the results. The fault list is stored in a table where each fault is represented by a tuple <Fault_ID, Start_time, Duration, Affected_signal>. During the simulation the fault disables one of the signals whose corruption we want to evaluate.
• Performance definition. To evaluate the performance loss, every input maneuver is associated with some performance indexes, which may be minimum or maximum values of some waveforms; these are used to save the results and to understand the vehicle performance.
• Automatic activation of the simulation and result storage. The Matlab functions described above automatically load the new fault scenario and activate the Simulink solver to run the simulation; afterwards the performance indexes are automatically computed and saved. The results are stored in a table as tuples <Fault_ID, PerfIndex1, PerfIndex2, PerfIndex3, ...>.
• Threshold manager. Some Simulink blocks permit the interruption of a simulation when a threshold is activated (as explained in section 4.2).
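The network block of Sections 3.4 and 4 (sample the signal in time, convert it to digital form, inject faults of the noise, collision and disconnection kinds) can be reproduced as a small stand-alone model. The following Python code is an added example, not the authors' Simulink block: it carries a constructed ISO 7401 style step steer over a point-to-point link with an assumed 10 ms frame period and an assumed 0.01 quantization step, and reports the worst deviation between the true signal and the value held by the receiving ECU for each fault kind. The class and function names (`NetworkLink`, `worst_error`, ...) and the fault kind labels are ours.

```python
"""Functional network link with injectable faults.

Added example, not the authors' Simulink network block: it reproduces the three
operations the paper assigns to the network subsystem (sample in time, convert
to digital, introduce faults) and the three fault kinds of Section 4 (noise,
collision, disconnection). Frame period, quantization step and the step-steer
waveform are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Fault:
    kind: str            # "noise" | "collision" | "burst"
    start: float         # fault start time, s
    duration: float      # fault duration, s
    delay: float = 0.0   # extra arbitration delay per frame (only for "collision"), s

    def active_at(self, t: float) -> bool:
        return self.start <= t < self.start + self.duration


@dataclass
class NetworkLink:
    period_ms: int = 10          # transmit period of the signal's frame (assumed 10 ms)
    resolution: float = 0.01     # quantization step applied before transmission (assumed)
    faults: List[Fault] = field(default_factory=list)

    def quantize(self, x: float) -> float:
        """Digital conversion: the bus carries only multiples of the resolution."""
        return round(x / self.resolution) * self.resolution

    def _active(self, kind: str, t: float) -> List[Fault]:
        return [f for f in self.faults if f.kind == kind and f.active_at(t)]

    def transmit(self, source: Callable[[float], float], t_end: float,
                 dt_ms: int = 1, rx_init: float = 0.0) -> List[Tuple[float, float]]:
        """Value held by the receiving ECU on a dt_ms grid, as (t, value) pairs.

        Integer millisecond clocks keep the fault windows exact. A frame blanked by
        noise (CRC failure) or by a disconnection (burst loss) never arrives, so the
        receiver keeps using the previous correct value, which is how Section 4
        describes both cases. A collision only delays the frame; the delayed, stale
        value can then overwrite a fresher one that arrived in the meantime."""
        t_end_ms = int(round(t_end * 1000))
        frames: List[Tuple[int, float]] = []             # (arrival time in ms, value)
        for tx_ms in range(0, t_end_ms + 1, self.period_ms):
            t_tx = tx_ms / 1000.0
            if self._active("burst", t_tx):
                continue                                  # sender is off the bus
            if self._active("noise", t_tx):
                continue                                  # receiver drops the corrupted frame
            delay_ms = sum(int(round(f.delay * 1000)) for f in self._active("collision", t_tx))
            frames.append((tx_ms + delay_ms, self.quantize(source(t_tx))))
        frames.sort(key=lambda fr: fr[0])
        received: List[Tuple[float, float]] = []
        held, i = rx_init, 0
        for t_ms in range(0, t_end_ms + 1, dt_ms):
            while i < len(frames) and frames[i][0] <= t_ms:
                held = frames[i][1]                       # the newest frame to arrive wins
                i += 1
            received.append((t_ms / 1000.0, held))
        return received


def max_abs_error(source: Callable[[float], float],
                  received: List[Tuple[float, float]]) -> float:
    """Worst deviation between the true signal and the value the receiver holds."""
    return max(abs(source(t) - v) for t, v in received)


def step_steer(t: float) -> float:
    """Constructed ISO 7401 style step steer: 0 to 100 deg in 0.25 s from t = 2.0 s."""
    return 100.0 * min(max(t - 2.0, 0.0), 0.25) / 0.25


def worst_error(faults: List[Fault]) -> float:
    """Run the step steer through a link carrying the given faults (3 s of maneuver)."""
    link = NetworkLink(faults=faults)
    return max_abs_error(step_steer, link.transmit(step_steer, 3.0))


if __name__ == "__main__":
    print("nominal link            :", round(worst_error([]), 3))
    print("burst loss 2.00-2.10 s  :", round(worst_error([Fault("burst", 2.0, 0.10)]), 3))
    print("noise 2.10-2.15 s       :", round(worst_error([Fault("noise", 2.1, 0.05)]), 3))
    print("collision +15 ms jitter :", round(worst_error([Fault("collision", 2.0, 0.02, delay=0.015)]), 3))
```

Running the module prints the nominal sampling error (3.6°, set by the 10 ms period against the 400°/s ramp) next to the much larger error of a 0.1 s burst loss at the start of the steer (39.6°), which is the "previous correct value" effect of Section 4. The collision case shows that jitter is not merely a delay: a frame held back by arbitration can arrive after a later frame and overwrite the fresher value.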
Figure 8: Fault injection system architecture (Matlab side: fault list, fault manager, threshold values, performance analysis, results; Simulink side: maneuver, vehicle, network, fault waveforms, threshold manager, performance indexes)

4.2. Thresholds model
To evaluate the simulation results it is possible to operate in two different ways: the first uses an off-line post-processing method, while the research presented in this paper uses an on-line threshold manager. This is a Simulink block that monitors the vehicle dynamics performance indexes, such as yaw rate or sideslip angle, during the simulation, and raises flags when thresholds are violated. Using the on-line checker we can interrupt a simulation that violates particular thresholds, saving simulation time. We have implemented two kinds of signal thresholds:
• Warning thresholds: a signal exceeds a warning level; a warning condition means that the vehicle is in a critical state in terms of stability, but the active systems succeed in keeping it stable.
• Error thresholds: a signal exceeds the error threshold and the vehicle irremediably loses stability. System safety requires that no fault ever exceeds an error threshold. When an error threshold is activated, the simulation is stopped.
The threshold manager is shown in figure 9. At the end of each simulation, the error or warning results are stored in a table using Matlab functions.

Figure 9: Thresholds manager (threshold values and the vehicle model feed the on-line threshold manager, whose outcome is O.K., WARNING, or ERROR: STOP SIMULATION)

5. Experimental results
To evaluate the effectiveness of the proposed high-level fault injection system, and to illustrate the kind of vehicle-level considerations that can be drawn from the simulations, we performed a fault injection campaign with the following parameters:
• Fault injection during the step-steer maneuver: for the purpose of this paper, the Driver block stimulates the vehicle model with a standard maneuver known to be particularly critical for car safety. To evaluate the VDC behavior we used transient maneuvers and focused on the step-steer maneuver (ISO 7401:2003).
• Fault list: we generated a fault list by varying Start_time from 2.0 s to 2.5 s in steps of 0.01 s and Duration from 0.01 s to 0.1 s in steps of 0.01 s, i.e. 510 faults per signal. In the following experiments we concentrate on the yaw rate and steer angle signals, which are input signals of the VDC control strategy.
• Performance indexes: figure 7 outlines the performance indexes defined on a nominal (fault-free) step-steer maneuver.
• CPU time: with the on-line threshold manager, the CPU time of the campaign was reduced to 10%.

Figure 10 shows some results of the fault injection campaigns: in particular, the trend of the minimum value of the vehicle sideslip angle (index 3 of Section 4) for yaw rate and steer angle faults, as a function of fault start time and duration. Tables 1 and 2 show some statistics. Table 1 reports the number of errors and warnings that occurred during the yaw rate and steer angle fault campaigns: for each campaign (Fyaw_rate and Fsteer) it shows the number of error flag activations, the number of runs with 3 to 4 warning flag activations, the number of runs with 1 or 2 warning flag activations, and the number of correct executions. Table 2 shows the statistics of error occurrence: for each campaign it gives the minimum and maximum fault start times that generated an error activation (Tinj_min, Tinj_max) and the minimum and maximum fault durations that exceeded the error threshold (Lmin, Lmax).

Figure 10: Minimum value of the sideslip angle (left: yaw rate fault; right: steer angle fault; sideslip minimum peak (%) against fault start (s) and duration (s))

Table 1: Statistics of the fault injection campaign
Campaign    ERROR   3÷4 WARNINGS   1÷2 WARNINGS   O.K.   TOTAL
Fyaw_rate   120     0              103            287    510
Fsteer      19      0              0              491    510
TOTAL       139     0              103            778    1020

Table 2: Statistics of error occurrences
               Fyaw_rate   Fsteer
Tinj_min (s)   2.00        2.00
Tinj_max (s)   2.22        2.01
Lmin (s)       0.02        0.01
Lmax (s)       0.1         0.1

Analyzing the results, we can say that a steer angle fault is more dangerous than a yaw rate fault when it occurs in the first instants of the maneuver (Tinj_max = 2.01 s, and even the shortest duration, Lmin = 0.01 s, is sufficient to cause an error), and that in this kind of maneuver the steer angle fault is critical only in those first instants. On the other hand, the yaw rate fault is dangerous over a wider range of start times (up to Tinj_max = 2.22 s), though it requires longer durations than the steer angle fault (Lmin = 0.02 s): a yaw rate fault is more dangerous than a steer fault when the maneuver is already ongoing.
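The campaign mechanics of Sections 4.1, 4.2 and 5 (a parametric fault list of <Fault_ID, Start_time, Duration, Affected_signal> tuples, one run per fault that the on-line manager interrupts as soon as an error threshold fires, and Table 1 / Table 2 style statistics over the runs) can be exercised end to end on a toy vehicle. The following Python code is an added example, not the authors' Matlab/Simulink tool and not the validated vehicle model of [2]: the "vehicle" is a single yaw-rate state with an assumed unstable open-loop mode, stabilized by a VDC-like proportional controller on the ideal yaw-rate target; the network fault is a burst loss, in which the controller keeps the last value it received; the thresholds are assumed margins (25% warning, 60% error) over the fault-free peak of the yaw-rate tracking error, used here in place of the paper's sideslip and yaw-rate peak indexes. All constants and the names `simulate`, `thresholds_from_nominal`, `fault_list`, `frange` and `summarize` are ours.

```python
"""Fault injection campaign with an on-line threshold manager (added example, not
the authors' Matlab/Simulink tool). Toy vehicle: one yaw-rate state with an
unstable open-loop mode, stabilized by a VDC-like controller from the steer angle
and the measured yaw rate; a network fault is a burst loss, i.e. the controller
keeps the last value it received. Every constant below is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DT = 0.001                          # Euler step, s
T_START_MS, T_END_MS = 1900, 3000   # yaw is at rest before the 2.0 s steer input
A_OPEN = 4.0                        # unstable open-loop yaw pole, 1/s (assumed)
KP_VDC = 20.0                       # VDC yaw-rate feedback gain, 1/s (assumed)
K_REF = 0.3                         # ideal yaw-rate target per deg of steer (assumed)

def steer_angle(t: float) -> float:
    """Constructed ISO 7401 style step steer: 0 to 100 deg in 0.25 s from t = 2.0 s."""
    return 100.0 * min(max(t - 2.0, 0.0), 0.25) / 0.25

@dataclass(frozen=True)
class Fault:
    fault_id: int
    start: float       # Start_time, s
    duration: float    # Duration, s
    signal: str        # Affected_signal: "yaw_rate" or "steer" (the VDC inputs studied)

    def active(self, t: float) -> bool:
        return self.start <= t < self.start + self.duration

@dataclass(frozen=True)
class Thresholds:
    warning: float     # on the yaw-rate tracking error |r - r_ref|, deg/s
    error: float

@dataclass
class RunResult:
    fault_id: int
    max_yaw_rate: float
    max_tracking_error: float
    flag: str                    # "ok" | "warning" | "error"
    stopped_at: Optional[float]  # time at which the error threshold stopped the run

def simulate(fault: Optional[Fault], thr: Optional[Thresholds]) -> RunResult:
    r = 0.0                        # true yaw rate, deg/s
    meas_r, meas_steer = 0.0, 0.0  # last values the VDC received over the network
    max_r, max_e, flag, stopped = 0.0, 0.0, "ok", None
    for k_ms in range(T_START_MS, T_END_MS + 1):
        t = k_ms / 1000.0
        steer = steer_angle(t)
        r_ref = K_REF * steer
        lost = fault is not None and fault.active(t)
        # network block: a frame arrives every step unless the fault blanks it,
        # in which case the VDC keeps using the previous correct value (burst loss)
        if not (lost and fault.signal == "yaw_rate"):
            meas_r = r
        if not (lost and fault.signal == "steer"):
            meas_steer = steer
        u = -KP_VDC * (meas_r - K_REF * meas_steer)   # VDC yaw moment from (stale) inputs
        r_dot = A_OPEN * (r - r_ref) + u              # open-loop unstable yaw mode
        # on-line threshold manager: indexes are updated and checked at every step
        e = abs(r - r_ref)
        max_r, max_e = max(max_r, r), max(max_e, e)
        if thr is not None:
            if e > thr.error:
                flag, stopped = "error", t
                break                                 # error threshold: stop this run
            if e > thr.warning:
                flag = "warning"
        r += DT * r_dot
    return RunResult(fault.fault_id if fault is not None else -1, max_r, max_e, flag, stopped)

def thresholds_from_nominal(warn_factor: float = 1.25, err_factor: float = 1.6) -> Thresholds:
    """Warning/error levels as margins over the fault-free maneuver (factors assumed)."""
    nominal_e = simulate(None, None).max_tracking_error
    return Thresholds(warn_factor * nominal_e, err_factor * nominal_e)

def frange(a: float, b: float, step: float) -> List[float]:
    return [round(a + i * step, 4) for i in range(int(round((b - a) / step)) + 1)]

def fault_list(signal: str, starts: List[float], durations: List[float]) -> List[Fault]:
    """Parametric fault list: one <Fault_ID, Start_time, Duration, Affected_signal> per pair."""
    return [Fault(i, s, d, signal) for i, (s, d) in enumerate((s, d) for s in starts for d in durations)]

def summarize(faults: List[Fault], results: List[RunResult]) -> Dict[str, float]:
    """Table 1 counts plus Table 2 bounds (Tinj_min/max, Lmin/max) over the error runs."""
    by_id = {f.fault_id: f for f in faults}
    stats: Dict[str, float] = {"error": 0, "warning": 0, "ok": 0, "total": len(results)}
    for res in results:
        stats[res.flag] += 1
    bad = [by_id[res.fault_id] for res in results if res.flag == "error"]
    if bad:
        stats.update(Tinj_min=min(f.start for f in bad), Tinj_max=max(f.start for f in bad),
                     Lmin=min(f.duration for f in bad), Lmax=max(f.duration for f in bad))
    return stats

if __name__ == "__main__":
    thr = thresholds_from_nominal()
    starts, durations = frange(2.0, 2.5, 0.01), frange(0.01, 0.1, 0.01)   # the paper's grid
    for signal in ("yaw_rate", "steer"):
        faults = fault_list(signal, starts, durations)
        print(signal, summarize(faults, [simulate(f, thr) for f in faults]))
```

Running the module sweeps the paper's grid (start 2.0 to 2.5 s in 0.01 s steps, duration 0.01 to 0.1 s in 0.01 s steps, 510 faults per signal) and prints, per signal, the Table 1 counts and the Table 2 bounds. The early stop is what makes the manager worth having: an error run ends at `stopped_at` instead of at 3.0 s, and on this toy a 0.1 s freeze of the steer angle at 2.0 s trips the error threshold before the fault is even over, because the VDC brakes against a yaw motion it believes should not exist, whereas the same burst on the yaw rate stays inside the nominal band.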

6. Conclusions
In this paper we described a reliability evaluation methodology based on a high-level fault injection environment suitable for analyzing the effects of network faults on the behavior of the vehicle, together with an on-line performance threshold manager able to evaluate the vehicle performance loss at the occurrence of faults. We worked at a high level of abstraction, with a whole-vehicle view, because it allows us to evaluate the vehicle performance loss directly. A suitable network model was developed, able to support the injection of selected faults, and a complete vehicle model was used to functionally evaluate the performance loss in case of faults. We designed an on-line threshold manager able to identify the vehicle performance loss during the simulation by observing some performance indexes, and to raise suitable error or warning flags. One specific maneuver was considered and used to evaluate the effects of typical network faults on the performance and reliability of the vehicle dynamics. We defined performance indexes and performed a fault injection campaign corrupting the yaw rate and steer angle signals. The results show the importance of fault injection for analyzing worst-case situations during the safety interventions of active systems. Furthermore, by changing the threshold values it is also possible to obtain more complete information about the best trade-off in threshold setting: a threshold set too high may fail to detect a dangerous vehicle behavior or a critical fault, while a threshold set too low may raise spurious error flags.

7. References
[1] F. Corno, P. Gabrielli, S. Tosato (2003), System Level Analysis of Fault Effect in an Automotive Environment, 18th IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems.
[2] M. Velardocchia, A. Sorniotti (2002), Vehicle Dynamics Control (VDC) and Active Roll Control (ARC) Integration to Improve Handling and Comfort, Proc. Vehicle and Systems Progress, Volgograd International Conference.
[3] Z. Segall, D. Vrsalovic, D. Siewiorek, D. Yaskin, J. Kownacki, J. Barton, R. Dancey, A. Robinson, T. Lin (1988), FIAT - Fault Injection based Automated Testing environment, Proc. 18th Int. Symposium on Fault-Tolerant Computing, IEEE Computer Society, Tokyo, Japan, pp. 102-107.
[4] G. A. Kanawati, N. A. Kanawati, J. A. Abraham (1992), FERRARI: A tool for the validation of system dependability properties, Proc. 22nd Int. Symposium on Fault-Tolerant Computing, IEEE Computer Society, Boston, USA, pp. 336-344.
[5] K. G. Shin (1991), HARTS: a distributed real-time architecture, IEEE Computer 24(5), pp. 25-35.
[6] R. Hexel (2003), FITS - A Fault Injection Architecture for Time-Triggered Systems, Proc. Twenty-Sixth Australasian Computer Science Conference, Conferences in Research and Practice in Information Technology, Vol. 16, pp. 333-338.
[7] E. Jenn, J. Arlat, M. Rimen, J. Ohlsson, J. Karlsson (1994), Fault Injection into VHDL Models: the MEFISTO Tool, Proc. FTCS-24, pp. 66-75.
[8] S. Misbahu
ddin, N. Al-Holou (2001), Fault Tolerant Distributed Architectures for In-Vehicle Networks, 2001 SAE Conference, paper 2001-01-0673.
[9] J. Perez, M. Sonza Reorda, M. Violante (2003), Accurate Dependability Analysis of CAN-based Networked Systems, 16th Symposium on Integrated Circuits and Systems Design.
[10] International Organization for Standardization (ISO), www.iso.ch
[11] CAN in Automation (CiA), http://www.can-cia.de/can/
[12] Bosch Controller Area Network Homepage, http://www.can.bosch.com/
[13] The TTP protocol, http://www.ttagroup.org/ttp/easy_to_read.htm

